Re: register_globals in php4

2002-05-09 Thread Christian G. Warden
you must write your application safely. it sounds like you're trying to prevent a user from changing their userid. after they log in, you could create a session variable with their userid and only use that session variable. i still use register_globals=on with my code, but i have the following c

Re: register_globals in php4

2002-05-09 Thread Simon Huggins
On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
> Yes. But when a user types the url something like login.php?id=fakeid
> Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get "fakeid", right?
> How do I avoid users affecting the system by changing the variable
> values in the URL d

Re: register_globals in php4

2002-05-09 Thread Patrick Hsieh
Hello "Christian G. Warden" <[EMAIL PROTECTED]>, Yes. But when a user types the url something like login.php?id=fakeid Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get "fakeid", right? How do I avoid users affecting the system by changing the variable values in the URL directly? If not, is t

Re: register_globals in php4

2002-05-09 Thread Christian G. Warden
one of the php lists is probably a better forum for this question, but in short, register_globals=off means that if you want to use the "id" variable passed in the query string by the browser, you would access it as $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id. more info at http:/

register_globals in php4

2002-05-09 Thread Patrick Hsieh
Hello list, php4.1 recommends setting register_globals=off in php.ini to make php more strict. My question is, if I turn off register_globals, what will happen if a malicious user just tries to modify the variable values in the url? Say, http://www.domain.com/xxx.php?id=3&sex=female Does it work
